Getting to the Crux (Ransomware) of the Matter

July 21, 2025, 8:57 a.m.

Description

A new ransomware variant named Crux has been identified; it claims an association with the BlackByte group, but that affiliation has not been independently verified. Observed in three separate incidents, Crux encrypts files, appends a .crux extension to them, and drops ransom notes. Initial access appears to involve Remote Desktop Protocol (RDP) logons with valid credentials. The ransomware executable, seen under varying names and locations, produces a distinctive process tree involving svchost.exe, cmd.exe, and bcdedit.exe, and it disables system recovery to hinder restoration attempts. Data exfiltration with Rclone was observed in one of the three incidents. The threat actor demonstrated prior knowledge of the targeted infrastructure and a preference for legitimate Windows processes over custom tooling.

Date

  • Created: July 21, 2025, 8:15 a.m.
  • Published: July 21, 2025, 8:15 a.m.
  • Modified: July 21, 2025, 8:57 a.m.

Indicators

  • c96d5a279c660bfa9b70b7b2d78de951daff80fe6ad5617882587cb8e971e88b
  • b45e6cce412d9968e7ea67466076e7bd2d533598a9dc182699c84a0b1f72e3e4
  • 667b7220f5df1b31dd2dd3d4aa1fedb4fdd2e8e5926cdacd744da7a7c6635932
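
The description above gives a hunt hypothesis (bcdedit.exe reached through svchost.exe and cmd.exe, used to disable recovery) and the indicator list gives three SHA-256 hashes. The following is an added example of detection logic run over constructed process-creation telemetry; it is not code from the report's author or from any vendor. It assumes the recovery-disabling bcdedit switches commonly seen in ransomware (`recoveryenabled no`, `bootstatuspolicy ignoreallfailures`), which the page does not quote for Crux, and it requires svchost.exe and cmd.exe to appear among bcdedit.exe's ancestors without assuming their order, since the page does not spell that out. The sample events, paths and PIDs are constructed.

```python
"""Hunt for the Crux process tree and indicator hashes over process-creation
events. Added example for this page, not vendor or report-author code."""
from dataclasses import dataclass

# SHA-256 indicators as listed in the report above.
CRUX_SHA256 = {
    "c96d5a279c660bfa9b70b7b2d78de951daff80fe6ad5617882587cb8e971e88b",
    "b45e6cce412d9968e7ea67466076e7bd2d533598a9dc182699c84a0b1f72e3e4",
    "667b7220f5df1b31dd2dd3d4aa1fedb4fdd2e8e5926cdacd744da7a7c6635932",
}

# Assumption: the recovery-disabling bcdedit switches commonly used by
# ransomware. The page says recovery is disabled but gives no command line.
RECOVERY_TAMPER_TOKENS = ("recoveryenabled no", "bootstatuspolicy ignoreallfailures")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full image path
    cmdline: str
    sha256: str = ""  # hash of the image, if the sensor records one


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the root, following ppid links.
    Stops on unknown parents or cycles (PID reuse can produce both)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def find_recovery_tampering(events):
    """Flag bcdedit.exe launches that carry a recovery-disabling switch AND
    have both cmd.exe and svchost.exe somewhere among their ancestors."""
    hits = []
    for e in events:
        if image_name(e.image) != "bcdedit.exe":
            continue
        cl = " ".join(e.cmdline.lower().split())  # normalise whitespace/case
        tamper = any(tok in cl for tok in RECOVERY_TAMPER_TOKENS)
        chain = ancestry(events, e.pid)           # chain[0] is bcdedit itself
        parents = chain[1:]
        if tamper and "cmd.exe" in parents and "svchost.exe" in parents:
            hits.append((e.pid, " <- ".join(chain)))
    return hits


def match_indicators(events):
    """PIDs whose image hash is one of the listed Crux SHA-256 values."""
    return sorted(e.pid for e in events if e.sha256.lower() in CRUX_SHA256)


# Constructed sample telemetry (not taken from the incidents on this page).
SAMPLE = [
    ProcEvent(4, 0, r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    ProcEvent(700, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(1200, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(3100, 1200, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c bcdedit /set {default} recoveryenabled No"),
    ProcEvent(3104, 3100, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled No"),
    # Benign: an admin enumerating boot entries from an interactive shell.
    ProcEvent(5000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5010, 5000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5011, 5010, r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
    # A binary under an arbitrary name whose hash matches a listed indicator.
    ProcEvent(3000, 1200, r"C:\Users\Public\update.exe", "update.exe",
              sha256="c96d5a279c660bfa9b70b7b2d78de951daff80fe6ad5617882587cb8e971e88b"),
]

if __name__ == "__main__":
    for pid, chain in find_recovery_tampering(SAMPLE):
        print(f"[recovery tampering] pid={pid} chain: {chain}")
    print("[indicator hash match] pids:", match_indicators(SAMPLE))
```

The benign `bcdedit /enum` run is left unflagged because it neither carries a tampering switch nor descends from svchost.exe; in production, feed the same functions from Sysmon Event ID 1 or your EDR's process-creation stream, and treat a hash match as high-confidence regardless of the file name, since the report notes the executable's name and location vary.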

Attack Patterns